Mail Flow Rules (Transport Rules)

To support Prevent (Inline) protection mode for policies, Email Security creates Mail Flow rules (Transport rules). These rules allow Email Security to scan and perform remediation before the email is delivered to the recipient’s mailbox.

Email Security creates the following Mail Flow rules (Transport rules):

Check Point - Protect Outgoing Rule

When is this rule applied?

  • Email is sent Outside the organization.

  • Email is received from a checkpoint_inline_outgoing@[portal domain] group member.

What does this rule do?

  • Routes the email using Check Point DLP Outbound Connector.

  • Sets the message header X-CLOUD-SEC-AV-Info with the [portal],office365_emails,sent,inline value.

  • Stops processing more rules.

Exceptions

  • Sender IP address belongs to one of the relevant IP addresses for Check Point - Protect Outgoing rule. See IP Addresses for Check Point - Protect Outgoing Rule.

Note - [portal] refers to the unique identifier of your Check Point Portal tenant.

Check Point - Protect Internal Rule

When is this rule applied?

What does this rule do?

  • Routes the email using Outbound DLP Check Point Connector.
  • Adds X-CLOUD-SEC-AV-Info to the header with [portal],office365_emails,internal,inline value.

Exceptions

Notes:

  • [portal] refers to the unique identifier of your Check Point Portal tenant.

  • Manual changes made to the rule will not be retained unless the Configure excluded IPs manually in mail flow rule option is selected under the Protect rule in the Policy section.

Check Point - Protect Rule

When is this rule applied?

  • Email is received from Outside the organization.

  • Email is sent Inside the organization.

  • Email is sent to checkpoint_inline_incoming@[portal domain] group member.

What does this rule do?

  • Routes the email using Check Point Outbound Connector.

  • Sets the message header X-CLOUD-SEC-AV-Info with the [portal],office365_emails,inline value.

  • Stops processing more rules.

Exceptions

  • Sender IP address belongs to one of the relevant IP addresses for the Check Point - Protect rule. See IP Addresses for Check Point - Protect Rule.

Note - [portal] refers to the unique identifier of your Check Point Portal tenant.

Check Point - Whitelist Rule

When is this rule applied?

Sender IP address belongs to one of the relevant IP addresses for the Check Point - Whitelist rule. See IP Addresses for Check Point - Whitelist Rule.

What does this rule do?

Sets the Spam Confidence Level (SCL) to -1.

Exceptions

If the message header X-CLOUD-SEC-AV-SCL matches the following patterns: true.

Check Point - Junk Filter Low Rule

This rule signals to Microsoft that Check Point detected the email as spam and that it should be delivered to the Junk folder.

When is this rule applied?

What does this rule do?

Sets the Spam Confidence Level (SCL) to 6.

Check Point - Junk Filter Rule

This rule signals to Microsoft that Check Point detected the email as spam and that it should be delivered to the Junk folder.

When is this rule applied?

What does this rule do?

Sets the Spam Confidence Level (SCL) to 9.

Check Point - Encryption

When is this rule applied?

  • Email is sent Outside the organization.

  • X-CLOUD-SEC-AV-Encrypt-Microsoft header matches the following patterns: true

  • Email is received from Inside the Organization.

What does this rule do?

  • Rights protect message with RMS template: Encrypt

Note - This rule is not created during onboarding. It is created only after a customer enables the Microsoft encryption workflow. See Encrypting Outgoing Emails.
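
To spot drift from the header, SCL and stop-processing actions documented above, the following added example (not Check Point's own tooling) compares transport rule objects against those values. It assumes the rule names in Exchange Online match the names used on this page and that $Portal holds your tenant identifier; Test-CheckPointRule and the sample objects are hypothetical.

```powershell
# Added example. Assumptions: rule names in Exchange Online match the names used on
# this page, and $Portal is your Check Point Portal tenant identifier (placeholder).
$Portal = '<portal>'

# Documented actions per rule, keyed by Get-TransportRule property name.
$Expected = [ordered]@{
    'Check Point - Protect Outgoing' = @{ SetHeaderName = 'X-CLOUD-SEC-AV-Info'
        SetHeaderValue = "$Portal,office365_emails,sent,inline"; StopRuleProcessing = $true }
    'Check Point - Protect Internal' = @{ SetHeaderName = 'X-CLOUD-SEC-AV-Info'
        SetHeaderValue = "$Portal,office365_emails,internal,inline" }
    'Check Point - Protect' = @{ SetHeaderName = 'X-CLOUD-SEC-AV-Info'
        SetHeaderValue = "$Portal,office365_emails,inline"; StopRuleProcessing = $true }
    'Check Point - Whitelist'       = @{ SetSCL = -1 }
    'Check Point - Junk Filter Low' = @{ SetSCL = 6 }
    'Check Point - Junk Filter'     = @{ SetSCL = 9 }
}

function Test-CheckPointRule {
    param([object[]]$Rules)
    foreach ($name in $Expected.Keys) {
        $rule = $Rules | Where-Object Name -eq $name
        if (-not $rule) {
            # Rules exist only for the protection modes in use, so review rather than assume a fault.
            [pscustomobject]@{ Rule = $name; Finding = 'missing' }; continue
        }
        if ($rule.State -ne 'Enabled') {
            [pscustomobject]@{ Rule = $name; Finding = "state is $($rule.State)" }
        }
        foreach ($prop in $Expected[$name].Keys) {
            # Compare as strings: remote sessions may return deserialized values.
            if ("$($rule.$prop)" -ne "$($Expected[$name][$prop])") {
                [pscustomobject]@{ Rule = $name
                    Finding = "$prop is '$($rule.$prop)', documented '$($Expected[$name][$prop])'" }
            }
        }
    }
}

# Constructed sample standing in for Get-TransportRule output, so this runs offline.
$sample = @(
    [pscustomobject]@{ Name = 'Check Point - Whitelist'; State = 'Enabled'; SetSCL = -1 }
    [pscustomobject]@{ Name = 'Check Point - Junk Filter'; State = 'Disabled'; SetSCL = 9 }
    [pscustomobject]@{ Name = 'Check Point - Protect'; State = 'Enabled'
        SetHeaderName = 'X-CLOUD-SEC-AV-Info'; SetHeaderValue = "$Portal,office365_emails,inline"
        StopRuleProcessing = $false }
)
Test-CheckPointRule -Rules $sample | Format-Table -AutoSize
# Against a tenant, after Connect-ExchangeOnline: Test-CheckPointRule -Rules (Get-TransportRule)
```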